Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims: 



1. (Canceled). 

2. (Currently Amended) The method of claim 4 129, wherein one of said chains of group credentials comprise one or more proofs of group membership.

3. (Original) The method of claim 2, wherein said proofs of group membership comprise one or more group membership certificates.

4. (Original) The method of claim 2, wherein said proofs of group membership comprise one or more group membership lists.

5. (Currently Amended) The method of claim 4 129, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

6. (Original) The method of claim 5, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

7. (Original) The method of claim 5, wherein said proofs of group non-membership comprise one or more group membership lists.

8.-12. (Canceled). 

13. (Currently Amended) The method of claim 45 132, wherein one of said chains of group credentials comprise one or more proofs of group membership.

14. (Original) The method of claim 13, wherein said proofs of group membership comprise one or more group membership certificates.

15. (Original) The method of claim 13, wherein said proofs of group membership comprise one or more group membership lists.

16. (Currently Amended) The method of claim 42- 132, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

17. (Original) The method of claim 16, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

18. (Original) The method of claim 16, wherein said proofs of group non-membership comprise one or more group membership lists.

19.-23. (Canceled). 

24. (Currently Amended) The system of claim 23 135, wherein one of said chains of group credentials comprise one or more proofs of group membership.

25. (Original) The system of claim 24, wherein said proofs of group membership comprise one or more group membership certificates.

26. (Original) The system of claim 24, wherein said proofs of group membership comprise one or more group membership lists.

27. (Currently Amended) The system of claim 24 135, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

28. (Original) The system of claim 27, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

29. (Original) The system of claim 27, wherein said proofs of group non-membership comprise one or more group membership lists.

30.-34. (Canceled). 

35. (Currently Amended) The system of claim 34 138, wherein one of said chains of group credentials comprise one or more proofs of group membership.

36. (Original) The system of claim 35, wherein said proofs of group membership comprise one or more group membership certificates.

37. (Original) The system of claim 35, wherein said proofs of group membership comprise one or more group membership lists.

38. (Currently Amended) The system of claim 34 138, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

39. (Original) The system of claim 38, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

40. (Original) The system of claim 38, wherein said proofs of group non-membership comprise one or more group membership lists.

41.-58. (Canceled). 

59. (Currently Amended) A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to members of a nested group, said client device comprising:

A. means for presenting to the server a first request to access the resource;

B. means operable in response to a challenge from the server generated by the first request for performing a search to obtain for obta i ning one or more chains of group credentials that prove client membership in the nested group, and

BC. means for transmitting to the server a second request for one or more of the s e rv i c e on e or mor e of th e on e or mor e resources, said second request including the one or more chains of group credentials that prove client membership in the nested group.

60. (Original) The client device of claim 59, wherein one of said chains of group credentials comprise one or more proofs of group membership.

61. (Original) The client device of claim 60, wherein said proofs of group membership comprise one or more group membership certificates.

62. (Original) The client device of claim 60, wherein said proofs of group membership comprise one or more group membership lists.

63. (Original) The client device of claim 59, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

64. (Original) The client device of claim 63, wherein said proofs of group nonmembership comprise one or more group non-membership certificates.

65. (Original) The client device of claim 63, wherein said proofs of group nonmembership comprise one or more group membership lists.

66. (Currently Amended) A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, said client device comprising:

A. means for presenting to the server a first request to access the resource,

B. means operable in response to a challenge from the server generated by the first request for performing a search to obtain for obtain i ng one or more chains of group credentials that prove client non-membership in the nested group, and

BC. means for transmitting to the server a second request for one or more of the ono or mor e resources, said second request including the one or more chains of group credentials that prove client non-membership in the nested group.

67. (Original) The client device of claim 66, wherein one of said chains of group credentials comprise one or more proofs of group membership.

68. (Original) The client device of claim 67, wherein said proofs of group membership comprise one or more group membership certificates.

69. (Original) The client device of claim 67, wherein said proofs of group membership comprise one or more group membership lists.

70. (Original) The client device of claim 66, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

71. (Original) The client device of claim 70, wherein said proofs of group nonmembership comprise one or more group non-membership certificates.

72. (Original) The client device of claim 70, wherein said proofs of group nonmembership comprise one or more group membership lists.



73.-100. (Canceled).

101. (Currently Amended) A computer program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to members of a nested group, configures the network device to operate as a client device that:

A. presents to the server a first request to access the resource,

in response to a challenge from the server generated by the first request performs a search to obtain obta i ns one or more chains of group credentials that prove client membership in the nested group, and

BC. transmits to the server a second request for one or more of th e on e or mor e resources, said second request including the one or more chains of group credentials that prove membership in the nested group.

102. (Previously Presented) The computer program product of claim 101, wherein one of said chains of group credentials comprise one or more proofs of group membership.

103. (Previously Presented) The computer program product of claim 102, wherein said proofs of group membership comprise one or more group membership certificates.

104. (Previously Presented) The computer program product of claim 102, wherein said proofs of group membership comprise one or more group membership lists.

105. (Previously Presented) The computer program product of claim 101, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

106. (Previously Presented) The computer program product of claim 105, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

107. (Previously Presented) The computer program product of claim 105, wherein said proofs of group non-membership comprise one or more group membership lists.

108. (Currently Amended) A computer program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, configures the network device to operate as a client device that:

A. presents to the server a first request to access the resource,

B. in response to a challenge from the server generated by the first request performs a search to obtain obta i ns one or more chains of group credentials that prove client non-membership in the nested group, and

BC. transmits to the server a second request for one or more of tho on e or mor e resources, said second request including the one or more chains of group credentials that prove non-membership in the nested group.

109. (Previously Presented) The computer program product of claim 108, wherein one of said chains of group credentials comprise one or more proofs of group membership.

110. (Previously Presented) The computer program product of claim 109, wherein said proofs of group membership comprise one or more group membership certificates.

111. (Previously Presented) The computer program product of claim 109, wherein said proofs of group membership comprise one or more group membership lists.

112. (Previously Presented) The computer program product of claim 108, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

113. (Previously Presented) The computer program product of claim 112, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

114. (Previously Presented) The computer program product of claim 112, wherein said proofs of group non-membership comprise one or more group membership lists.

115.-128. (Canceled). 

129. (New) A method of controlling access by a client to a resource that is controlled by a resource server and is made available to members of a nested group, the method comprising:

(a) presenting from the client to the resource server a first request to access the resource;

(b) in response to the first request, sending a challenge from the resource server to the client to prove membership in the nested group;

(c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves membership in the nested group; and

(d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.

130. (New) The method of claim 129 wherein membership in each group is controlled by a group server and wherein step (c) comprises contacting with the client at least one group server to obtain therefrom group credentials proving membership in the group controlled by that server.

131. (New) The method of claim 130 wherein step (c) further comprises providing from the client to the at least one group server group credentials proving membership in a group nested in the group controlled by that server.

132. (New) A method of controlling access by a client to a resource that is controlled by a resource server and is made available to non-members of a nested group, the method comprising:

(a) presenting from the client to the resource server a first request to access the resource;

(b) in response to the first request, sending a challenge from the resource server to the client to prove non-membership in the nested group;

(c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves non-membership in the nested group; and

(d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.

133. (New) The method of claim 132 wherein membership in each group is controlled by a group server and wherein step (c) comprises contacting with the client at least one group server to obtain therefrom group credentials proving non-membership in the group controlled by that server.

134. (New) The method of claim 133 wherein step (c) further comprises providing from the client to the at least one group server group credentials proving non-membership in a group nested in the group controlled by that server.

135. (New) A computer system having a resource to which a client desires access and which is controlled by a resource server so that the resource is made available to members of a nested group, the system comprising:

a mechanism in the client that presents to the resource server a first request to access the resource;

a mechanism in the resource server and operable in response to the first request, that sends a challenge to the client to prove membership in the nested group;

a mechanism in the client and operable in response to the challenge, that performs a search to obtain a chain of group credentials that proves membership in the nested group; and

a mechanism in the client that presents to the resource server a second request to access the resource, the second request including the chain of group credentials.

136. (New) The system of claim 135 wherein membership in each group is controlled by a group server and wherein the mechanism that obtains a chain of group credentials comprises a mechanism that contacts at least one group server to obtain therefrom group credentials proving membership in the group controlled by that server.

137. (New) The system of claim 136 wherein the mechanism that obtains a chain of group credentials further comprises a mechanism that provides to the at least one group server group credentials proving membership in a group nested in the group controlled by that server.

138. (New) A computer system having a resource to which a client desires access and which is controlled by a resource server so that the resource is made available to non-members of a nested group, the system comprising:

a mechanism in the client that presents to the resource server a first request to access the resource;

a mechanism in the resource server and operable in response to the first request, that sends a challenge to the client to prove non-membership in the nested group;

a mechanism in the client and operable in response to the challenge, that performs a search to obtain a chain of group credentials that proves non-membership in the nested group; and

a mechanism in the client that presents to the resource server a second request to access the resource, the second request including the chain of group credentials.

139. (New) The system of claim 138 wherein membership in each group is controlled by a group server and wherein the mechanism that obtains a chain of group credentials comprises a mechanism that contacts at least one group server to obtain therefrom group credentials proving non-membership in the group controlled by that server.

140. (New) The system of claim 139 wherein the mechanism that obtains a chain of group credentials further comprises a mechanism that provides to the at least one group server group credentials proving non-membership in a group nested in the group controlled by that server.